��������  ����Linux

Appendix B. Samba Configuration Option Quick Reference

The first section of this appendix lists each option that can be used in a Samba configuration file, which is usually named smb.conf. Most configuration files contain a global section of options that apply to all services (shares) and a separate section for various individual shares. If an option applies only to the global section, [global] appears to the right of its name in the following reference section.

Except where noted, when specifying elements of a list, the elements can be separated by spaces, tabs, commas, semicolons, escaped newlines, or escaped carriage returns.

Following this reference section is a glossary of value types, and a list of variables Samba recognizes.

abort shutdown script = command[global]

Allowable values: command

Default: NULL

Specifies a command that stops the shutdown procedure started by shutdown script. The command will be run with the UID of the connected user. New in Samba 3.0.

algorithmic rid base = number[global]

Allowable values: positive integer

Default: 1000

Specifies the base value that Samba uses when calculating Windows domain security identifier equivalents to Unix UIDs. See also non unix account range. New in Samba 3.0.

announce as = value[global]

Allowable values: NT, Win95, Wf W

Default: NT

Has Samba announce itself as something other than an NT server. Discouraged because it interferes with serving browse lists.

announce version = value[global]

Allowable values: two numbers separated by a dot character

Default: 4.5

Instructs Samba to announce itself as a different version SMB server. Discouraged.

blocking locks = boolean

Allowable values: YES, NO

Default: YES

If YES, honors byte range lock requests with time limits. Samba will queue the requests and retry them until the time period expires.

browse list = boolean[global]

Allowable values: YES, NO

Default: YES

If YES, serves the browse list to other systems on the network. Avoid changing.

browseable = boolean

Allowable values: YES, NO

Default: YES

Synonym for browsable.

case sensitive = boolean[global]

Allowable values: YES, NO

Default: NO

If YES, uses the exact case the client supplied when trying to resolve a filename. If NO, matches either upper- or lowercase name. Avoid changing. Also called casesignames.

casesignames = boolean[global]

Allowable values: YES, NO

Default: NO

Synonym for case sensitive.

change notify timeout = number[global]

Allowable values: positive number

Default: 60

Sets the number of seconds between checks when a client asks for notification of changes in a directory. Avoid lowering.

client code page = name

Allowable values: see Table 11-4 in Chapter 11

Default: 850 (MS-DOS Latin 1)

Sets the DOS code page explicitly, overriding any previous valid chars settings. Examples of values are 850 for Western European, 437 for the U.S. standard, and 932 for Japanese Shift-JIS. Obsolete starting with Samba 3.0.

comment = string

Allowable values: string

Default: NULL

Sets the comment corresponding to a share. The comment appears in places such as a net view listing or through the Network Neighborhood. See also the server string configuration option.

create mode = value

Allowable values: octal value from 0 to 0777

Default: 0744

Synonym for create mask.

debug timestamp = boolean[global]

Allowable values: YES, NO

Default: YES

Timestamps all log messages. Can be turned off when it's not useful (e.g., in debugging ). Also called timestamp logs.

debuglevel = number[global]

Allowable values: number

Default: 0

Sets the logging level used. Values of 3 or more slow Samba noticeably. Also called log level. Recommended value is 1.

default = service name[global]

Allowable values: share name

Default: NULL

Specifies the name of a service (share) to provide if someone requests a service he doesn't have permission to use or that doesn't exist. The path is set from the name the client specified, with any underscore ( _ ) characters changed to slash ( / ) characters, allowing access to any directory on the Samba server. Use is discouraged. See also load printers. Also called default service.

default case = value

Allowable values: LOWER, UPPER

Default: LOWER

Sets the case in which to store new filenames. LOWER indicates lowercase, and UPPER indicates uppercase.

default service = share name[global]

Allowable values: share name

Default: NULL

Synonym for default.

delete readonly = boolean

Allowable values: NO, YES

Default: NO

If set to YES, allows delete requests to remove read-only files. This is not allowed in MS-DOS/Windows, but it is normal in Unix, which has separate directory permissions. Used with programs such as RCS.

dfree command = command[global]

Allowable values: command

Default: varies

Specifies a command to run on the server to return free disk space. Not needed unless the Samba host system's dfree command does not work properly.

directory mode = value

Allowable values: octal value from 0 to 0777

Default: 0755

Synonym for directory mask.

directory security mask = value

Allowable values: octal value from 0 to 0777

Default: same as directory mode

Controls which permission bits can be changed if a user edits the Unix permissions of directories on the Samba server from a Windows system. Any bit that is set in the mask can be changed by the user; any bit that is clear remains the same on the directory even if the user tries to change it. Requires nt acl support = YES.

disable spools = boolean[global]

Allowable values: YES, NO

Default: NO

If set to YES, Windows NT/2000/XP systems will downgrade to Lanman-style printing. Prevents printer driver uploading and downloading from working. Use with care. See also use client driver.

dns proxy = boolean[global]

Allowable values: YES, NO

Default: YES

If set to YES and if wins server = YES, looks up hostnames in DNS when they are not found using WINS.

domain logons = boolean[global]

Allowable values: YES, NO

Default: NO

Causes Samba to serve domain logons. This is one of the basic functions required when Samba is acting as the PDC.

dont descend = list

Allowable values: list of directories

Default: NULL

Prohibits a change directory or search in the directories specified. This is a browsing-convenience option; it doesn't provide any extra security.

dos filemode = boolean

Allowable values: YES, NO

Default: NO

Allows anyone with write permissions to change permissions on a file, as allowed by MS-DOS.

dos filetime resolution = boolean

Allowable values: YES, NO

Default: NO

Sets file times on Unix to match MS-DOS standards (rounding to the next even second). Recommended if using Visual C++ or a PC make program to avoid remaking the programs unnecessarily. Use with the dos filetimes option.

dos filetimes = boolean

Allowable values: YES, NO

Default: NO

Allows nonowners to change file times if they can write to the files, matching the behavior of MS-DOS and Windows. See also dos filetime resolution.

encrypt passwords = boolean[global]

Allowable values: YES, NO

Default: NO in Samba 2.2, YES in Samba 3.0

If enabled, Samba will use password encryption. Requires an smbpasswd file on the Samba server.

exec = command

Allowable values: command

Default: NULL

Sets a command to run as the user before connecting to the share. Synonym for preexec. See also the postexec, root preexec, and root postexec options.

fake oplocks = boolean

Allowable values: YES, NO

Default: NO

If set, returns YES whenever a client asks if it can lock a file and cache it locally but does not enforce the lock on the server. Results in performance improvement for read-only shares. Never use with read/write shares! See also oplocks and veto oplock files.

force create mode = value

Allowable values: octal value from 0 to 0777

Default: 0

Takes effect when a user on a Windows client creates a file that resides on the Samba server. This option ensures that bits set in this mask will always be set on the new file. Used with the create mask configuration option.

force directory mode = value

Allowable values: octal value from 0 to 0777

Default: 0

Takes effect when a user on a Windows client creates a directory on the Samba server. This option ensures that bits set in the mask will be set on every newly created directory. Used with directory mask.

force directory security mode = value

Allowable values: octal value from 0 to 0777

Default: same as force directory mode

Takes effect when a user on a Windows client edits the Unix permissions of a directory on the Samba server. This option ensures that bits set in this mask will be set on the directory. Requires nt acl support = YES.

force security mode = value

Allowable values: octal value from 0 to 0777

Default: same as force create mode

Takes effect when a user on a Windows client edits the Unix permissions of a file on the Samba server. This option ensures that bits set in the mask will always be set on the file. Requires nt acl support = YES. See also force directory security mode for directories.

force user = value

Allowable values: a single username

Default: NULL

Sets the effective username assigned to all users accessing a share. Discouraged.

fstype = string

Allowable values: NTFS, FAT, Samba

Default: NTFS

Sets the filesystem type reported to the client. Avoid changing.

group = value

Allowable values: a Unix group name

Default: NULL

Synonym for force group.

guest account = value

Allowable values: a single username

Default: varies

Sets the name of the unprivileged Unix account to use for tasks such as printing and for accessing shares marked with guest ok. The default is specified at compile time and is usually set to nobody.

guest ok = boolean

Allowable values: YES, NO

Default: NO

If set to YES, doesn't need passwords for this share. Used with security = share. Synonym for public.

guest only = boolean

Allowable values: YES, NO

Default: NO

Forces users of a share to log on as the guest account. Requires guest ok or public to be YES. Also called only guest.

hide files = slash-separated list

Allowable values: patterns, separated by / characters

Default: NULL

Specifies a list of file or directory names on which to set the MS-DOS hidden attribute. Names can contain ? or * pattern characters and % variables. See also hide dot files and veto files.

hide local users = boolean[global]

Allowable values: YES, NO

Default: NO

If set to YES, hides Unix-specific dummy accounts (root, wheel, floppy, etc.) from clients.

hide unreadable = boolean

Allowable values: YES, NO

Default: NO

If set to YES, hides all unreadable files.

homedir map = name[global]

Allowable values: NIS map name

Default: NONE

Used with nis homedir to locate a user's Unix home directory from Sun NIS (not NIS+).

hosts deny = host list

Allowable values: list of hosts or networks

Default: NULL

Specifies a list of systems that cannot connect to the share. Synonym for deny hosts.

hosts equiv = filename[global]

Allowable values: name of file

Default: NULL

Specifies the path to a file of trusted systems from which passwordless logons are allowed. Strongly discouraged because Windows NT/2000/XP users can always override the username—the only security in this scheme.

include = filename

Allowable values: name of file

Default: NULL

Includes the named file in smb.conf at the line where it appears. This option accepts most variables, but not %u (user), %P (current share's root directory), or %S (current share's name) because they are not set at the time the file is read.

interfaces = interface list[global]

Allowable values: interface list

Default: NULL (all interfaces except 127.0.0.1)

Sets the interfaces to which Samba will respond. The default is the system's primary interface only. Recommended on multihomed systems or to override erroneous addresses and netmasks. Allows interface names such as eth0, DNS names, address/netmask pairs, and broadcast/netmask pairs. See also bind interfaces only.

invalid users = user list

Allowable values: user list

Default: NULL

Specifies a list of users not permitted access to the share.

keepalive = number[global]

Allowable values: number of seconds

Default: 300

Sets the number of seconds between checks for a crashed client. The value of 0 causes no checks to be performed. Setting keepalive = 3600 will turn on checks every hour. A value of 600 (every 10 minutes) is recommended if you want more frequent checks. See also socket options for another approach.

kernel oplocks = boolean[global]

Allowable values: YES, NO

Default: YES

Breaks the oplock when a local Unix process or NFS operation accesses an oplocked file, thus preventing corruption. This works only on operating systems that support kernel-based oplocks, such as Linux 2.4 and Irix. Avoid changing. See also oplocks and level2 oplocks.

lanman auth = boolean[global]

Allowable values: YES, NO

Default: YES

If set to YES, allows clients to use the (weak) LANMAN password hash used by Windows 95/98/Me. If set to NO, allows only the better NT1 hash used by Windows NT/2000/XP.

large readwrite = boolean[global]

Allowable values: YES, NO

Default: NO in Samba 2.2, YES in Samba 3.0

If set to YES, allows Windows 2000/XP to read and write 64KB at a time to improve performance. Requires Samba to be hosted by a 64-bit OS, such as Linux 2.4, Irix, or Solaris. Somewhat experimental.

level2 oplocks = boolean

Allowable values: YES, NO

Default: YES

Allows files to be cached read-only on the client when multiple clients have opened the file. This allows executables to be cached locally, improving performance.

lm announce = value[global]

Allowable values: AUTO, YES, NO

Default: AUTO

Produces OS/2 SMB broadcasts at an interval specified by the lm interval option. YES/NO turns them on/off unconditionally. AUTO causes the Samba server to wait for a LAN manager announcement from another client before sending one out. Required for OS/2 client browsing.

lm interval = number[global]

Allowable values: number of seconds

Default: 60

Sets the time period, in seconds, between OS/2 SMB broadcast announcements.

lock dir = directory[global]

Allowable values: name of directory

Default: /usr/local/samba/var/locks

Synonym for lock directory.

lock directory = directory[global]

Allowable values: name of directory

Default: /usr/local/samba/var/locks

Sets a directory in which to keep lock files. The directory must be writable by Samba and readable by everyone. Also called lock dir.

lock spin count = number[global]

Allowable values: positive integer

Default: 2

Sets the number of attempts to attain a byte range lock. See also lock spin time.

lock spin time = number[global]

Allowable values: number of microseconds

Default: 10

Sets the number of microseconds between attempts to attain a lock. See also lock spin count.

log level = number[global]

Allowable values: number

Default: 0

Sets the logging level used. Values of 3 or more slow the system noticeably. Recommended value is 1. Synonym for debug level.

logon drive = value[global]

Allowable values: MS-DOS drive name

Default: Z:

Sets the drive to be used as a home directory for domain logons by Windows NT/2000/XP clients. See also logon home.

logon script = directory[global]

Allowable values: UNC of shared file

Default: NULL

Sets the pathname (relative to the [netlogon] share) of an MS-DOS/NT command to run on the client at logon time. Allows all % variables.

lpq cache time = number[global]

Allowable values: number of seconds

Default: 10

Sets how long to keep print queue status cached, in seconds.

machine password timeout = number

Allowable values: number of seconds

Default: 604800 (1 week)

Sets the period between (NT domain) computer account password changes.

magic output = filename

Allowable values: name of file

Default: command.out

Sets the output file for the magic scripts option. Default is the command name, followed by the .out extension.

magic script = filename

Allowable values: name of file

Default: NULL

Sets a filename for execution via a shell whenever the file is closed from the client, allowing clients to run commands on the server. The scripts will be deleted on completion, if permissions allow. Use is discouraged.

mangled map = map list

Allowable values: list of to/from pairs

Default: NULL

Sets up a table of names to remap (e.g., .html to .htm).

mangled names = boolean

Allowable values: YES, NO

Default: YES

Sets Samba to abbreviate to the MS-DOS 8.3 style names that are too long or have unsupported characters.

mangled stack = number[global]

Allowable values: number

Default: 50

Sets the size of the cache of recently mangled filenames.

mangling char = character

Allowable values: character

Default: ~

Sets the unique mangling character used in all mangled names.

mangling method = string[global]

Allowable values: hash, hash2

Default: hash

Sets the algorithm used to mangle filenames. The hash2 method is a newer method introduced in Samba 2.2.x, and it creates different filenames than the hash method.

map archive = boolean

Allowable values: YES, NO

Default: YES

If YES, Samba sets the executable-by-user (0100) bit on Unix files if the MS-DOS archive attribute is set. If used, the create mask must contain the 0100 bit.

map hidden = boolean

Allowable values: YES, NO

Default: NO

If YES, Samba sets the executable-by-other (0001) bit on Unix files if the MS-DOS hidden attribute is set. If used, the create mask option must contain the 0001 bit.

map system = boolean

Allowable values: YES, NO

Default: NO

If YES, Samba sets the executable-by-group (0010) bit on Unix files if the MS-DOS system attribute is set. If used, the create mask must contain the 0010 bit.

map to guest = value[global]

Allowable values: Never, Bad User, Bad Password

Default: Never

If set to Bad User, allows users without accounts on the Samba system to log in and be assigned the guest account. This option can be used as part of making public shares for anyone to use. If set to Bad Password, users who mistype their passwords will be logged in to the guest account instead of their own. Because no warning is given, the Bad Password value can be extremely confusing: we recommend against it. The default setting of Never prevents users without accounts from logging in.

max disk size = number[global]

Allowable values: size in MB

Default: 0 (no limit)

Sets the maximum disk size/free-space size (in megabytes) to return to the client. Some clients or applications can't understand large maximum disk sizes.

max mux = number[global]

Allowable values: number

Default: 50

Sets the number of simultaneous SMB operations that Samba clients can make. Avoid changing.

max open files = number[global]

Allowable values: number

Default: 10000

Limits the number of files a Samba process will try to keep open at one time. Samba allows you to set this to less than the maximum imposed by the Unix host operating system. Avoid changing.

max protocol = name[global]

Allowable values: CORE, COREPLUS, LANMAN1, LANMAN2, NT1

Default: NT1

If set, limits the negotiation to the protocol specified, or older. See min protocol. Avoid using.

max smbd processes = number[global]

Allowable values: integer

Default: 0 (no limit)

Limits the number of users who can connect to the server. Used to prevent degraded service under an overload, at the cost of refusing services entirely.

max wins ttl = number[global]

Allowable values: number of seconds

Default: 518400 (6 days)

Limits the TTL, in seconds, of a NetBIOS name in the nmbd WINS cache. Avoid changing. See also min wins ttl.

max xmit = number[global]

Allowable values: size in bytes

Default: 65535

Sets the maximum packet size negotiated by Samba. This is a tuning parameter for slow links and bugs in older clients. Values less than 2048 are discouraged.

message command = command[global]

Allowable values: command

Default: NULL

Sets the command to run on the server when a WinPopup message arrives from a client. If it does not complete quickly, the command must end in & to allow immediate return. Honors all % variables except %u (user) and supports the extra variables %s (filename the message is in), %t (destination system), and %f (from).

min password length = number[global]

Allowable values: integer

Default: 5

Sets the shortest Unix password allowed by Samba when updating a user's password on its system. Also called min passwd length.

min print space = number

Allowable values: space in kilobytes

Default: 0 (unlimited)

Sets the minimum spool space required before accepting a print request.

min protocol = name[global]

Allowable values: CORE, COREPLUS, LANMAN1, LANMAN2, NT1

Default: CORE

If set, prevents use of old (less secure) protocols. Using NT1 disables MS-DOS clients. See also lanman auth.

msdfs root = boolean

Allowable values: YES, NO

Default: NO

Makes the share a Dfs root. Requires the --with-msdfs configure option. Any symbolic links of the form msdfs:server\share will be seen as Dfs links. See also host msdfs.

name resolve order = list[global]

Allowable values: lmhosts, wins, host, bcast

Default: lmhosts, host, wins, bcast

Sets the order of lookup when trying to get IP addresses from names. The host parameter carries out a regular name lookup using the server's normal sources: /etc/hosts, DNS, NIS, or a combination of these.

netbios aliases = list[global]

Allowable values: list of NetBIOS names

Default: NULL

Adds additional NetBIOS names by which the Samba server will advertise itself.

netbios name = value

Allowable values: local hostname

Default: DNS name of system

Sets the NetBIOS name by which a Samba server is known, or the primary name if NetBIOS aliases exist. See also netbios aliases.

netbios scope = string[global]

Allowable values: string

Default: NULL

Sets the NetBIOS scope string, an early predecessor of workgroups. Samba will not communicate with a system with a different scope. This option is not recommended.

nis homedir = boolean[global]

Allowable values: YES, NO

Default: NO

If YES, the homedir map is used to look up the server hosting the user's home directory and return it to the client. The client will contact that system to connect to the share. This avoids mounting from a system that doesn't actually have the directory, which would cause the data to be transmitted twice. The system with the home directories must be an SMB server.

non unix account range = numeric range[global]

Allowable values: range of positive integers

Default: NONE

Specifies a range of Unix UIDs for Samba to use for user accounts and computer accounts that are maintained outside of /etc/passwd. The UIDs in this range must not overlap those of regular Unix users in /etc/passwd. See also algorithmic rid base. New in Samba 3.0.

nt pipe support = boolean[global]

Allowable values: YES, NO

Default: YES

Allows turning off of NT-specific pipe calls. This is a developer/benchmarking option and might be removed in the future. Avoid changing.

nt status support = boolean[global]

Allowable values: YES, NO

Default: YES

If YES, allows the use of NT-specific status messages. This is a developer/benchmarking option and might be removed in the future. Avoid changing.

null passwords = boolean[global]

Allowable values: YES, NO

Default: NO

If YES, allows access to accounts that have null passwords. Strongly discouraged.

obey pam restrictions = boolean[global]

Allowable values: YES, NO

Default: NO

If set, Samba will adhere to the PAM's account and session restrictions. Requires --with-pam configuration option.

only guest = boolean

Allowable values: YES, NO

Default: NO

Forces users of a share to log on as the guest account. Synonym for guest only. Requires guest ok or public to be YES.

only user = boolean

Allowable values: YES, NO

Default: NO

Requires that users of the share be in the list specified by the user option.

oplocks = boolean

Allowable values: YES, NO

Default: YES

If YES, supports local caching of oplocked files on the client. This option is recommended because it improves performance by about 30%. See also fake oplocks and veto oplock files.

os level = number[global]

Allowable values: integer

Default: 20

Sets the candidacy of the server when electing a browse master. Used with the domain master or local master options. You can set a higher value than a competing operating system if you want Samba to win. Windows for Workgroups and Windows 95/98/Me use 1. Windows NT/2000/XP, when not acting as a PDC, use 16 and, when acting as a PDC, use 32. Warning: this can override non-Samba browse masters unexpectedly.

os2 driver map = filename[global]

Allowable values: name of file

Default: NULL

Specifies a file containing mappings of Windows NT printer driver names to OS/2 printer driver names.

pam password change = boolean[global]

Allowable values: YES, NO

Default: NO

If YES, and if Samba is configured with --with-pam, PAM is allowed to handle password changes from clients, instead of using the program defined by the passwd program parameter.

panic action = command[global]

Allowable values: command

Default: NULL

Sets the command to run when Samba panics. Honors all % variables. For Samba developers and testers, /usr/bin/X11/xterm -display :0 -e gdb /samba/bin/smbd %d is a possible value.

passdb backend = list[global]

Allowable values: smbpasswd, smbpasswd_nua, tdbsam, tdbsam_nua, plugin

Default: smbpasswd

Specifies methods Samba uses to store and retrieve passwords when using a method other than the Unix system's /etc/passwd. See also non unix account range. New in Samba 3.0.

passwd chat = string[global]

Allowable values: sequence of strings

Default: compiled-in value

Sets the chat strings used to change passwords on the server. Supports the variables %o (old password) and %n (new password) and allows the escapes \r, \n, \t, and \s (space) in the sequence. See also unix password sync, passwd program, passwd chat debug, and pam password change.

passwd chat debug = boolean[global]

Allowable values: YES, NO

Default: NO

Logs an entire password chat, including passwords passed, with a log level of 100. For debugging only. See also passwd chat, pam password change, and passwd program.

passwd program = command[global]

Allowable values: command

Default: /bin/passwd

Sets the command used to change a user's password. Will be run as root. Supports %u (user). See also unix password sync.

password level = number[global]

Allowable values: number

Default: 0

Specifies the number of uppercase-letter permutations used to match passwords. A workaround for clients that change passwords to a single case before sending them to the Samba server. Causes repeated login attempts with mixed-case passwords, which can trigger account lockouts. Required for Windows 95/98/Me, plain-text passwords, and mixed-case passwords. Try to avoid using.

path = directory

Allowable values: name of directory

Default: varies

Sets the path to the directory provided by a file share or used by a printer share. If the option is omitted, it is set automatically in the [homes] share to the user's home directory; otherwise, defaults to /tmp. Honors the %u (user) and %m (machine) variables.

pid directory = directory[global]

Allowable values: name of directory

Default: /usr/local/samba/var/locks

Sets the path to the directory where PID files are located.

posix locking = boolean

Allowable values: YES, NO

Default: YES

If set to YES, Samba will map file locks owned by SMB clients to POSIX locks. Avoid changing.

postexec = command

Allowable values: command

Default: NULL

Sets a command to run as the user after disconnecting from the share. See also the preexec, root preexec, and root postexec options.

postscript = boolean

Allowable values: YES, NO

Default: NO

Forces a printer to recognize a file as PostScript by inserting %! as the first line. Works only if the printer is actually PostScript-compatible.

preexec = command

Allowable values: command

Default: NULL

Sets a command to run as the user before connecting to the share. Synonym for exec. See also the postexec, root preexec, and root postexec options.

preexec close = boolean

Allowable values: YES, NO

Default: NO

If set, allows the preexec command to decide if the share can be accessed by the user. If the command returns a nonzero return code, the user is denied permission to connect.

preferred master = boolean[global]

Allowable values: YES, NO

Default: auto

If YES, Samba is the preferred master browser. Causes Samba to call a browsing election when it comes online. See also os level.

prefered master = boolean[global]

Allowable values: YES, NO

Default: auto

Synonym for preferred master.

printable = boolean

Allowable values: YES, NO

Default: NO

Sets a share to be a print share. Required for all printers. Synonym for print ok.

printcap name = filename[global]

Allowable values: name of file

Default: /etc/printcap

Sets the path to the printer capabilities file used by the [printers] share. The default value changes to /etc/qconfig under AIX and lpstat on System V. Also called printcap.

print command = command

Allowable values: command

Default: varies

Sets the command used to send a spooled file to the printer. Usually initialized to a default value corresponding to the printing option. This option honors the %p (printer name), %s (spool file), and %f (spool file as a relative path) variables. The command must delete the spool file.

printer = name

Allowable values: printer name

Default: lp

Sets the name of the Unix printer used by the share. Also called printer name.

printer admin = user list

Allowable values: user list

Default: NULL

Specifies users who can administer a printer using the remote printer administration interface on a Windows system. The root user always has these privileges.

printer driver = name

Allowable values: exact printer driver string used by Windows

Default: NULL

Sets the string to pass to Windows when asked which driver to use to prepare files for a printer share. Note that the value is case-sensitive. Part of pre-2.2 printing system. Deprecated.

printer driver file = filename[global]

Allowable values: name of file

Default: /usr/local/samba/printers/printers.def

Sets the location of a msprint.def file. Usable by Windows 95/98/Me. Part of pre-2.2 printing system. Deprecated.

printer driver location = directory

Allowable values: UNC of shared directory

Default: \\ server\ PRINTER$

Sets the location of the driver for a particular printer. The value is the pathname of the share that stores the printer driver files. Part of pre-2.2 printing system. Deprecated.

printer name = name

Allowable values: name

Default: NULL

Synonym for printer.

printing = value

Allowable values: bsd, sysv, hpux, aix, qnx, plp, softq, lprng, cups

Default: bsd

Sets the printing style to a value other than that in which you've compiled. This sets initial values of at least print command , lpq command , and lprm command.

print ok = boolean

Allowable values: YES, NO

Default: NO

Synonym for printable.

private directory = directory[global]

Allowable values: name of directory

Default: /usr/local/samba/private

Specifies the directory used for storing security-sensitive files such as smbpasswd and secrets.tdb. New in Samba 3.0.

protocol = name[global]

Allowable values: NT1, LANMAN2, LANMAN1, COREPLUS, CORE

Default: NT1

Synonym for max protocol.

public = boolean

Allowable values: YES, NO

Default: NO

If YES, passwords are not needed for this share. Also called guest ok.

queuepause command = command

Allowable values: full path to script

Default: varies

Sets the command used to pause a print queue. Usually initialized to a default value by the printing option.

queueresume command = command

Allowable values: full path to script

Default: varies

Sets the command used to resume a print queue. Usually initialized to a default value by the printing option.

read bmpx = boolean

Allowable values: YES, NO

Default: NO

If set to YES, supports the "Read Block Multiplex" message. Avoid changing.

read only = boolean

Allowable values: YES, NO

Default: NO

Sets a share to read-only. Antonym of writable, writeable, and write ok.

read raw = boolean[global]

Allowable values: YES, NO

Default: YES

Allows clients to read data using a 64K packet size. Recommended.

read size = number[global]

Allowable values: positive integer

Default: 16384

Allows disk reads and writes to overlap network reads and writes. A tuning parameter. Do not set larger than the default.

realm = string[global]

Allowable values: Kerberos realm name

Default: NONE

Specifies the realm name for Kerberos 5 authentication. Requires the --with-krb5 configure option. New in Samba 3.0.

remote announce = remote list[global]

Allowable values: list of remote addresses

Default: NULL

Adds workgroups to the list on which the Samba server will announce itself. Specified as an IP address and optional workgroup (for instance, 192.168.220.215/SIMPLE) with multiple entries separated by spaces. Addresses can be the specific address of the browse master on a subnet or on directed broadcasts (i.e., ###.###.###.255). The server will appear on those workgroups' browse lists. Does not require WINS.

remote browse sync = list[global]

Allowable values: IP addresses

Default: NULL

Perform browse list synchronization with other Samba local master browsers. Addresses can be specific addresses or directed broadcasts (i.e., ###.###.###.255). The latter causes Samba to locate the local master browser on that subnet.

root = directory[global]

Allowable values: name of directory

Default: NULL

Synonym for root directory.

root dir = directory[global]

Allowable values: name of directory

Default: NULL

Synonym for root directory.

root directory = directory[global]

Allowable values: name of directory

Default: /

Specifies a directory to chroot( ) before starting daemons. Prevents any access outside that directory tree. See also the wide links configuration option. Also called root and root dir.

root postexec = command

Allowable values: command

Default: NULL

Sets a command to run as root after disconnecting from the share. See also the preexec, postexec, and root preexec configuration options. Runs after the user's postexec command. Use with caution.

root preexec = command

Allowable values: command

Default: NULL

Sets a command to run as root before connecting to the share. See also the preexec, postexec, and root postexec configuration options. Runs before the user's preexec command. Use with caution.

root preexec close = boolean

Allowable values: YES, NO

Default: NO

If set, allows the root preexec command to decide if the share can be accessed by the user. If the command returns a nonzero return code, the user will be denied permission to connect.

security mask = value

Allowable values: octal value from 0 to 0777

Default: 0777

Controls which permission bits can be changed if a user on a Windows NT/2000/XP system edits the Unix permissions of files on the Samba server using the Windows system's ACL editing dialog box. Any bit that is set in the mask can be changed by the user; any bit that is clear remains the same on the file even if the user tries to change it. Requires nt acl support = YES. Note that some rarely used bits map to the DOS system, hidden, and archive bits in the file attributes in a nonintuitive way.

server string = string[global]

Allowable values: string

Default: Samba %v

Sets the name that corresponds to the Samba server in browse lists. Honors the %v (Samba version number) and %h (hostname) variables.

set directory = boolean

Allowable values: YES, NO

Default: NO

Allows the DEC Pathworks client to use the set dir command.

share modes = boolean

Allowable values: YES, NO

Default: YES

Directs Samba to support Windows-style whole-file (deny mode) locks. Do not change.

short preserve case = boolean

Allowable values: YES, NO

Default: YES

If set to YES, leaves mangled 8.3-style filenames in the case sent by the client. If NO, forces the case to that specified by the default case option. See also preserve case.

show add printer wizard = boolean[global]

Allowable values: YES, NO

Default: YES

If set, tells clients that the Add Printer Wizard can be used to add a Samba printer from Windows NT/2000/XP clients. See also add printer command, delete printer comamnd, and printer admin.

shutdown script = command[global]

Allowable values: command

Default: NONE

Specifies a command that initiates a system shutdown. The command is run with the UID of the connected user. The %m (message), %t (delay time), %r (reboot), and %f (force) options are supported. See also abort shutdown script. New in Samba 3.0.

smb passwd file = filename[global]

Allowable values: name of file

Default: /usr/local/samba/private/smbpasswd

Overrides the compiled-in path to the encrypted password file. See also encrypted passwords and private dir.

socket address = value[global]

Allowable values: IP address

Default: NULL

Sets the address on which to listen for connections. Default is to listen to all addresses.

socket options = list[global]

Allowable values: socket option list

Default: TCP_NODELAY

Sets OS-specific socket options. SO_KEEPALIVE makes TCP check clients every four hours to see if they are still accessible. TCP_NODELAY sends even tiny packets to keep delay low. Both are recommended wherever the operating system supports them.

ssl CA certDir = directory[global]

Allowable values: name of directory

Default: /usr/local/ssl/certs

Specifies a directory containing a file for each Certification Authority (CA) that the Samba server trusts so that Samba can verify client certificates. Part of SSL support. Requires --with-ssl configure option. Obsolete starting with Samba 3.0.

ssl CA certFile = filename[global]

Allowable values: name of file

Default: /usr/local/ssl/certs/trustedCAs.pem

Specifies a file that contains information for each CA that the Samba server trusts so that Samba can verify client certificates. Part of SSL support. Requires --with-ssl configure option. Obsolete starting with Samba 3.0.

ssl ciphers = list[global]

Allowable values: list of ciphers

Default: NULL

Specifies which ciphers should be offered during SSL negotiation. Not recommended. Requires --with-ssl configure option. Obsolete starting with Samba 3.0.

ssl client cert = filename[global]

Allowable values: name of file

Default: /usr/local/ssl/certs/smbclient.pem

Specifies a file containing the server's SSL certificate, for use by smbclient if certificates are required in this environment. Requires --with-ssl configure option. Obsolete starting with Samba 3.0.

ssl client key = filename[global]

Allowable values: name of file

Default: /usr/local/ssl/private/smbclient.pem

Specifies a file containing the server's private SSL key, for use by smbclient. Requires --with-ssl configure option. Obsolete starting with Samba 3.0.

ssl compatibility = boolean[global]

Allowable values: YES, NO

Default: NO

Determines whether SSLeay should be configured for bug compatibility with other SSL implementations. Not recommended. Requires --with-ssl configure option. Obsolete starting with Samba 3.0.

ssl hosts = host list[global]

Allowable values: list of hosts or networks

Default: NULL

Requires that SSL be used with the hosts listed. By default, if the ssl option is set, the server requires SSL with all hosts. Requires --with-ssl configure option. Obsolete starting with Samba 3.0.

ssl hosts resign = host list[global]

Allowable values: list of hosts or networks

Default: NULL

Suppresses the use of SSL with the hosts listed. By default, if the ssl option is set, the server requires SSL with all hosts. Requires --with-ssl configure option. Obsolete starting with Samba 3.0.

ssl require clientcert = boolean[global]

Allowable values: YES, NO

Default: NO

Requires clients to use certificates when SSL is in use. This option is recommended if SSL is used. Requires --with-ssl configure option. Obsolete starting with Samba 3.0.

ssl require servercert = boolean[global]

Allowable values: YES, NO

Default: NO

When SSL is in use, smbclient requires servers to use certificates. This option is recommended if SSL is used. Requires --with-ssl configure option. Obsolete starting with Samba 3.0.

ssl server cert = filename[global]

Allowable values: name of file

Default: NULL

Specifies a file containing the server's SSL certificate. Requires --with-ssl configure option. Obsolete starting with Samba 3.0.

ssl server key = filename[global]

Allowable values: name of file

Default: NULL

Specifies a file containing the server's private SSL key. If no file is specified and SSL is in use, the server looks up its key in its server certificate. Requires --with-ssl configure option. Obsolete starting with Samba 3.0.

stat cache = boolean[global]

Allowable values: YES, NO

Default: YES

Makes the Samba server cache client names for faster resolution. Should not be changed.

stat cache size = number [global]

Allowable values: number

Default: 50

Determines the number of client names cached for faster resolution. Should not be changed.

strict allocate = boolean

Allowable values: YES, NO

Default: NO

If set to YES, allocates all disk blocks when creating or extending the size of files, instead of using the normal sparse file allocation used on Unix. This slows the server, but results in behavior that matches that of Windows and helps Samba correctly report "out of quota" messages.

strict locking = boolean

Allowable values: YES, NO

Default: NO

If set to YES, checks locks on every access, not just on demand and at open time. Not recommended.

strict sync = boolean

Allowable values: YES, NO

Default: NO

If set to YES, Samba synchronizes to disk whenever the client sets the sync bit in a packet. If set to NO, Samba flushes data to disk whenever buffers fill. Defaults to NO because Windows 98 Explorer sets the bit (incorrectly) in all packets.

strip dot = boolean[global]

Allowable values: YES, NO

Default: NO

Removes trailing dots from filenames. Dysfunctional in Samba 2.2; use mangled map instead.

sync always = boolean

Allowable values: YES, NO

Default: NO

If set to YES, Samba forces the data to disk through fsync (3) after every write. Avoid except to debug crashing servers.

syslog = number[global]

Allowable values: number

Default: 1

Sets the level of Samba log messages to send to syslog. Higher is more verbose. The syslog.conf file must have suitable logging enabled.

syslog only = boolean[global]

Allowable values: YES, NO

Default: NO

If set to YES, logs only to syslog instead of the standard Samba log files.

template homedir = path[global]

Allowable values: full path to directory

Default: /home/%D/%U

Sets the home directory for Unix login sessions for users authenticated through winbind. %D will be replaced with user's domain name; %U by the username.

template shell = filename[global]

Allowable values: full path to shell

Default: /bin/false

Sets the shell for Unix login sessions for users authenticated through winbind. The default value prevents all Windows domain user logins.

time offset = number[global]

Allowable values: number of minutes

Default: 0

Sets the number of minutes to add to the system time-zone calculation. Provided to fix a client daylight-savings bug. Not recommended.

timestamp logs = boolean[global]

Allowable values: YES, NO

Default: YES

Synonym for debug timestamp.

total print jobs = number[global]

Allowable values: number

Default: 0 (no limit)

Limits total number of current print jobs on server. See also max print jobs.

unix password sync = boolean[global]

Allowable values: YES, NO

Default: NO

If set to YES, attempts to change the user's Unix password whenever the user changes her SMB password. Used to ease synchronization of Unix and Microsoft password databases. See also password program and passwd chat.

update encrypted = boolean[global]

Allowable values: YES, NO

Default: NO

Updates the encrypted password file when a user logs on with an unencrypted password. Provided to ease conversion from unencrypted to encrypted passwords.

use client driver = boolean[global]

Allowable values: YES, NO

Default: NO

Used for avoiding Access Denied; Unable to connect messages when connecting to a Samba printer from Windows NT/2000/XP clients. Necessary only when the client has a local printer driver for the Samba printer.

use mmap = boolean[global]

Allowable values: YES, NO

Default: varies

Tells Samba whether the mmap( ) system call works correctly on the Samba host. Default is automatically set correctly. Do not change.

use sendfile = boolean

Allowable values: YES, NO

Default: NO

If yes, Samba will perform some data transfers for exclusively oplocked files using the sendfile( ) system call, which results in significant performance improvements. This is available if Samba has been configured with the --with-sendfile-support option. This is an experimental option and is new in Samba 2.2.5.

user = user list

Allowable values: user list

Default: NULL

Synonym for username.

username = user list

Allowable values: user list

Default: NULL

Sets a list of users that are tried when logging on with share-level security in effect. Also called user or users. Discouraged. Use NET USE \\server\share %user from the client instead.

username level = number[global]

Allowable values: number

Default: 0

Specifies the number of uppercase-letter permutations allowed to match Unix usernames. A workaround for Windows' single-case usernames. Use is discouraged.

username map = filename[global]

Allowable values: name of file

Default: NULL

Names a file of Unix-to-Windows name pairs; used to map different spellings of account names and Windows usernames longer than eight characters.

users = user list

Allowable values: user list

Default: NULL

Synonym for username.

utmp = boolean[global]

Allowable values: YES, NO

Default: NO

This is available if Samba has been configured with the --with-utmp option. If set, Samba adds utmp/utmpx records whenever a connection is made to a Samba server. Sites can use this option to record each connection to a Samba share as a system login.

utmp directory = directory[global]

Allowable values: name of directory

Default: NULL

This is available if Samba has been configured with the --with-utmp option. If this option and utmp are set, Samba will look in the specified directory rather than the default system directory for utmp/utmpx files.

valid users = user list

Allowable values: user list

Default: NULL (allows everyone)

Specifies a list of users that can connect to a share. See also invalid users.

veto files = slash-separated list

Allowable values: slash-separated list of filenames

Default: NULL

Specifies a list of files that the client will not see when listing a directory's contents. See also delete veto files and hide files.

veto oplock files = slash-separated list

Allowable values: slash-separated list of filenames

Default: NULL

Specifies a list of files not to oplock (and cache on clients). See also oplocks and fake oplocks.

vfs object = filename

Allowable values: full path to shared library

Default: NULL

Specifies the shared library to use for Samba's Virtual File System (VFS). Requires the --with-vfs configure option.

vfs options = string

Allowable values: space-separated list of options

Default: NULL

Specifies parameters to the VFS. Requires the --with-vfs configure option. See vfs object.

volume = string

Allowable values: share name

Default: NULL

Sets the volume label of a disk share. Especially useful with shared CD-ROMs.

wide links = boolean

Allowable values: YES, NO

Default: YES

If set, Samba follows symlinks out of the disk share. See also the root dir and follow symlinks options.

winbind cache time = number[global]

Allowable values: number of seconds

Default: 15

Sets the amount of time that the winbindd daemon caches user and group information.

winbind enum users = boolean[global]

Allowable values: YES/NO

Default: YES

If set to NO, enumeration of users is suppressed by winbind. Discouraged.

winbind enum groups = boolean[global]

Allowable values: YES/NO

Default: YES

If set to NO, enumeration of groups is suppressed by winbind. Discouraged.

winbind gid = numeric range[global]

Allowable values: integer-integer

Default: NULL

Specifies the group ID range winbind uses for Windows NT domain users connecting to Samba.

winbind separator = character[global]

Allowable values: ASCII character

Default: \

Specifies the character winbind uses to separate a domain name and username.

winbind uid = numeric range[global]

Allowable values: integer-integer

Default: NULL

Specifies the user ID range winbind will use for Windows NT domain users connecting to Samba.

wins hook = command[global]

Allowable values: full path to script

Default: NULL

Specifies a command to run whenever the WINS server updates its database. Allows WINS to be synchronized with DNS or other services. The command is passed one of the arguments add, delete, or refresh, followed by the NetBIOS name, the name type (two hexadecimal digits), the TTL in seconds, and the IP addresses corresponding to the NetBIOS name. Requires wins service = YES.

wins proxy = boolean[global]

Allowable values: YES, NO

Default: NO

If set to YES, nmbd proxies resolution requests to WINS servers on behalf of old clients, which use broadcasts. The WINS server is typically on another subnet.

wins server = value[global]

Allowable values: hostname or IP address

Default: NULL

Sets the DNS name or IP address of the WINS server.

wins support = boolean[global]

Allowable values: YES, NO

Default: NO

If set to YES, activates the WINS service. The wins server option must not be set if wins support = YES.

workgroup = name[global]

Allowable values: workgroup name

Default: compiled-in

Sets the workgroup or domain to which the Samba server belongs. Overrides the compiled-in default of WORKGROUP. Choosing a name other than WORKGROUP is highly recommended.

writable = boolean

Allowable values: YES, NO

Default: YES

Antonym for read only; writeable and write ok are synonyms.

writeable = boolean

Allowable values: YES, NO

Default: YES

Antonym for read only; writable and write ok are synonyms.

write cache size = number

Allowable values: decimal number of bytes

Default: 0 (disabled)

Allocates a write buffer of the specified size in which Samba accumulates data before a write to disk. This option can be used to ensure that each write has the optimal size for a given filesystem. It is typically used with RAID drives, which have a preferred write size, and with systems that have large memory and slow disks.

write list = user list

Allowable values: user list

Default: NULL

Specifies a list of users that are given read/write access to a read-only share. See also read list.

write ok = boolean

Allowable values: YES, NO

Default: YES

Synonym for writable.

write raw = boolean[global]

Allowable values: YES, NO

Default: YES

Allows fast-streaming writes over TCP using 64KB buffers. Recommended.

Glossary of Configuration Value Types

boolean

One of two values, either YES or NO.

character

A single ASCII character.

command

A Unix script or compiled program, with an absolute path specified for the executable and parameters.

directory

An absolute path specification to a directory. For example:

/usr/local/samba/lib
filename

An absolute path specification to a file. For example:

/etc/printcap
host list

A list of hosts. Allows IP addresses, address masks, domain names, ALL, and EXCEPT.

interface list

A list of interfaces, in either address/netmask or address/n-bits format. For example:

192.168.2.10/255.255.255.0, 192.168.2.10/24
map list

A list of filename remapping strings such as (*.html *.htm).

name

A single name of a type of object, as specified in the option's description.

number

A positive integer.

numeric range

Two numbers separated by a dash, specifying a minimum and a maximum value. For example:

100-250
remote list

A list of subnet-broadcast-address/workgroup pairs. For example:

192.168.2.255/SERVERS 192.168.4.255/STAFF
service (share) list

A list of service (share) names, without the enclosing parentheses.

slash-separated list

A list of filenames, separated by "/" characters to allow embedded spaces. For example:

/.*/My Documents/*.doc/
string

One line of arbitrary text.

user list

A list of usernames and/or group names. @group_name includes whomever is in the NIS netgroup group_name, if one exists, or otherwise whomever is in the Unix group group_name. In addition, +group_name is a Unix group, &group_name is an NIS netgroup, and &+ and +& cause an ordered search of both Unix and NIS groups.

value

A value of some miscellaneous type, as specified in the option's description.


TOC

  © 2015  CDN  Linux Tags